Data Protection & Privacy Laws 2016

Data protection is a key issue in the digital business world. Given the technological advances in recent years, from the proliferation of smart devices to the advent of cloud computing, individuals and companies are producing huge amounts of data, and the task of safeguarding it all is increasingly difficult and fraught with risk.

UNITED STATES

Alan L. Friel

BakerHostetler

“With electronic data an important and valuable asset and data collection, exploitation and sharing becoming increasingly pervasive, organisations are becoming increasingly aware that they should review legal and self-regulatory requirements whenever they are involved in consumer or employee data collection, use, processing, storage or transfer or in transactions where data assets or activities are involved. In addition, consumer data privacy and security issues, including many high profile security breaches, have recently spawned consumer class action and shareholder derivative lawsuits involving various tort and unfair business practices theories, the viability of which is not yet settled.”

MEXICO

Fernando Roman Sandoval

PwC Mexico

“Most companies in Mexico are addressing this problem from a compliance rather than a risk perspective. In many cases, they feel comfortable with a privacy notice and a person in charge of privacy, among other functions. It is strange that a lot of companies that have privacy notices do not have a privacy policy. How, then, do companies that utilise privacy notices enforce them if there are no policies, procedures or controls related to them? The duties associated with privacy notices are more related to cyber security matters than to privacy and confidentiality. Many companies in the region have not yet come to understand the difference between privacy, confidentiality and security.”

UNITED KINGDOM

Stephanie Iyayi

Hunton & Williams LLP

“As part of society’s growing interest in the ethics of big business, a company’s reputation is increasingly tied to how well it respects and takes care of the personal data it processes. As such, data protection and cyber security is now one of the hot issues on the boardroom agenda and companies are allocating more resources to manage that risk more effectively. Over the years, we have seen data protection and cyber security moving from an IT responsibility to a broader organisational responsibility, with relevant departments playing their part. While companies are keen to roll out appropriate policies and procedures, more attention needs to be given to raising awareness of data protection and cyber security among all staff.”

FRANCE

Claire François

Hunton & Williams LLP

“Generally speaking, the recent sanctions and formal notices served by the French Data Protection Authority (CNIL) reveal that even large companies have not taken all appropriate measures and therefore have not paid enough attention to data protection risks. It should be noted that it is a constant challenge for companies to ensure full compliance with their data protection obligations, in particular as these obligations are evolving. Most companies, if not all, are currently figuring out how to implement the new accountability obligations under the European General Data Protection Regulation (GDPR) that will apply from 25 May 2018. The number of contributions to the CNIL’s public consultation on the GDPR in June 2016 shows a need for clarification.”

SPAIN

María Vidal

Deloitte Legal

“To date, data protection obligations have not generally been a topic that companies have been extensively concerned about. They were aware that there were a series of requirements with which they had to comply and, based on the type of data they processed, certain compliance audits to which they were subject, but it was not a risk to which they paid too much attention or took into consideration in their day-to-day business. From my point of view, things are changing. Companies are starting to experience first-hand incidents that affect the confidentiality of their information, credential leaks and intentional attacks, with consequences that give rise to economic and reputational loss at companies.”

BELGIUM

Wim Nauwelaerts

Hunton & Williams LLP

“Over the past year, we have seen a major increase in the attention companies have been paying to potential privacy risk and data protection compliance. This evolution was mainly triggered by the adoption of the EU General Data Protection Regulation (GDPR) in April 2016. The fact that under the GDPR, data protection authorities will be able to impose fines of up to €20m or 4 percent of a company’s worldwide annual turnover, has moved data protection compliance up the agenda of many companies. Firms are stepping up their efforts to understand and prepare for their obligations under the GDPR, but this often proves to be a challenge – particularly given the lack of regulatory guidance on the many new obligations that the GDPR introduces.”

GERMANY

Dr Jochen Lehmann

GÖRG

“Recent surveys have shown that data protection and data security are receiving much more attention – and resources – than in the past. Nevertheless, a significant number of companies are still of the opinion that data protection and data security impede them from striving for successful business performance. Too often, clients argue that data protection and data security are an unnecessary and very costly burden to any business. This not only relates to the relationship with customers but also to the internal handling of data. Sometimes convenience supersedes the legal requirements for handling of data and, in particular, the use of equipment.”

ITALY

Dino Ponghetti

PwC Italy

“Data protection continues to be an issue at board level. According to our 2015 Global State of Information Security survey, 29.6 percent of European boards of directors actively participated in a review of current security and privacy risk, while 44.2 percent participated in defining their company’s overall security strategy. In 2016, the board’s involvement in security is increasing, with specific topics such as security budget, overall security strategy, security policies, security techniques and the review of security and privacy risks all now a board level concern. Within the Italian market, more specifically, the increased focus on data protection among companies is undoubtedly linked to the increasing number of inspections made by the Italian privacy regulator.”

TURKEY

Cüneyt Kirlar

Deloitte

“The Turkish privacy law was published in the Turkish Official Gazette in April 2016 and entered into force at the same time, except for some provisions that followed six months later. As a consequence, the first phase of compliance with the law was completed in October 2016. The law has been constituted in line with the relevant EU directive. Considering the enactment and publication of the new ‘Protection of Personal Data Law’, the maturity level of firms regarding compliance is still low. Discussions around the privacy law have continued for many years at a political and investor level, but various reasons have caused delay. The financial services and telecom industries are more aware of and ready to comply with the law than other industries, as they are already subject to specific regulations.”

ISRAEL

Haim Ravia

Pearl Cohen Zedek Latzer Baratz

“Companies are growing more aware of the obligations arising from privacy and data protection laws. First, high-profile cyber attacks and data breaches have helped increase awareness of cyber and data protection among companies in Israel. Second, Israeli data-driven companies that face customers outside Israel are experiencing growing exposure to data protection and privacy requirements in the global marketplace. This is particularly true for Israeli business-to-business companies seeking European or US clientele. Companies are faced with foreign customers that demand that appropriate attention be given to data protection and privacy issues. Third, over the past year Israel’s privacy regulator, the Israeli Law Information and Technology Authority (ILITA), has begun engaging in more proactive enforcement and regulatory activities.”

INDIA

Ameet Datta

Saikrishna & Associates

“The Indian government’s focus on ‘Digital India’ has brought the need for information security into the spotlight. While the Information Technology Act, 2000 contains provisions to penalise companies for laxity in implementing data protection measures, there is a need to increase and strengthen the enforcement of these provisions. India is not only a target of, but also a source for, cyber crime attacks – there was an increase of almost 350 percent in cyber crime incidents between 2011 and 2014 and almost 50,000 security incidents were reported by the Indian Computer Emergency Response Team (CERT-In) in 2015. The Telecom Regulatory Authority of India has also recently highlighted the growing importance of cloud computing and the need to mitigate the attendant risk to data security.”

CHINA

Manuel E. Maisog

Hunton & Williams LLP

“In mainland China, it is hard to give a single consistent answer because China’s data privacy framework is emerging on a patchwork, sector-by-sector basis. As such, it is likely that companies in some sectors are becoming aware of the risks and duties associated with data protection, while companies in other sectors may have little awareness of the same risks and little incentive to develop any awareness of them. On the whole, however, it is probably true that companies in mainland China are not as aware of the risks and duties of confidentiality and privacy as they should be.”

TAIWAN

Chin-Jui Chang

PwC Taiwan

“Taiwan passed the Personal Data Protection Act (PDPA) in April 2010 and it came into force in October 2012. The PDPA applies to all companies, individuals and public organisations and is a milestone piece of legislation. After three years of PDPA enforcement, the awareness of data protection practices varies by sector. Taiwanese government authorities are forcing those companies that hold a large amount of personal data, such as telecoms, e-commerce and especially firms in the financial services industry, to implement data protection measures, which is why those companies have committed additional resources to protect data privacy under the PDPA compared to other companies.”

JAPAN

Takashi Nakazaki

Anderson Mori & Tomotsune

“Since the Act on Personal Information Protection was enacted in 2005, companies in Japan have paid a great deal of attention to the risks associated with data protection. Though there have been data leak incidents in recent years, Japanese companies have begun to fully understand the risks associated with data protection. The Benesse incident was particularly shocking. In 2014, Benesse Holdings, Japan’s largest correspondence education provider, suffered a data breach which affected over 20 million customers. The names, addresses, email addresses and telephone numbers of millions of customers were stolen and sold to a data broker by a former employee of a third-party contracted by Benesse.”

MALAYSIA

Tan Cheng Yeong

PwC Malaysia

“Since the introduction of the Personal Data Protection Act (PDPA) in November 2013, companies in Malaysia have slowly begun to recognise the business and reputational value involved in data protection. However, many companies still lack the knowledge needed to identify the risks, exposures and associated safeguards they must have in place to address confidentiality and privacy issues. Generally, controls over hardcopy data are sufficient; however, the opposite can be said for digital data. Issues such as how data is protected in third-party storage, how and where information is collected, and the lack of standard operating procedures in handling the inflow and outflow of digital data, are still common gaps among the larger companies in Malaysia.”

SINGAPORE

Tan Shong Ye

PwC Singapore

“The Singapore Personal Data Protection Act (PDPA), established in 2012, aims to protect the personal data of individuals, while maintaining the needs of private companies to collect and use such data for legitimate and reasonable purposes. Prior to the introduction of the PDPA, many companies in Singapore paid some attention to data protection risks as these companies typically operated in jurisdictions that have established data protection laws, or the corporations are regulated by a sectoral regulator in Singapore that introduced guidelines to safeguard the security of the customer’s data. With the introduction of the PDPA, companies have become more aware of their duties surrounding confidentiality and privacy, not only because there is now a legal obligation.”

AUSTRALIA

Grace Guinto

PwC Australia

“As the cyber threat landscape has evolved, we have seen Australian companies and their boards continue to look for ways to get a better handle on how to oversee cyber security and data protection risk. Boards understand the potential reputational damage a breach can do, but there is often a knowledge and translation deficit on the technical, security and operational factors that led to the breach event, which can weigh on directors. Boards are being increasingly proactive in asking the right questions and seeking guidance from the company’s senior security and privacy stakeholders, such as the chief information officer (CIO), chief information security officer (CISO) and chief privacy officer (CPO), which is further supplemented by outside expertise and counsel.”